Security - Exchange Zero Day Vulnerability #CVE-2021-26855

These vulnerabilities allow access, without any authentication, to the contents of all Exchange mailboxes.

This is possible on all Exchange servers that are published on the internet through OWA (the attacker only needs to know the user account name).

Afterward, attackers created several backdoors through ASPX web shells and dumped AD credentials, giving them the possibility of horizontal attacks.

There are two scenarios:

  1. Standalone: requires a single user (SID) (more difficult)
  2. Cluster (DAG): only the end user's email name is required.

The attack is possible only if you know the server FQDN (but this is easy to find out by sending an HTTP POST call to Exchange Web Services).

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855

Patches are available here (for Exchange 2010 too):

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Other articles:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2016-and-the-end-of-mainstream-support/ba-p/1574110

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues

[original articles]

https://www.windowserver.it/2021/03/exchange-server-sotto-attacco-cosa-sta-succedendo/

https://www.wired.it/internet/web/2021/03/05/microsoft-exchange-hacker-cina/


[update 2021.03.19]

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/

[update 2021.03.24]

https://edge9.hwupgrade.it/news/security/attacco-ad-exchange-server-anche-tim-business-colpita-e-intanto-microsoft-teme-la-fuga-di-notizie-interna_96269.html

[update 2021.03.29]

How to Recover Exchange Server after Black KingDom Ransomware Attack?

https://www.stellarinfo.com/blog/recover-exchange-server-after-black-kingdom-ransomware-attack/